PHPDeveloper.org (http://www.phpdeveloper.org)
Up-to-the Minute PHP News, views and community
Tue, 03 Mar 2015 18:23:42 -0600

http://www.phpdeveloper.org/news/21007
In her latest post Alison Gianotto looks at a few different ways that you can validate any URLs that your users might give you to ensure they're not anything malicious. She looks at two of the major services, the Google SafeBrowsing API and SURBLs, as well as mentioning a few others.

If you write software for the web that allows users to submit or share URLs (comment systems, mail clients, forums, URL shorteners, etc), you may find yourself in a position where you need to filter out malicious links. Fortunately, there are several free options for you to better protect your systems and your users against bad guys, and they're pretty simple to implement. (My examples are in PHP, but could easily be adapted to whatever language you prefer.)

She starts with an example call to Google's SafeBrowsing service, making a curl call and parsing the result. The other service, SURBL, makes use of DNS validation calls, complete with code examples. She also talks about Phishtank and VirusTotal as other options. She finishes the post with a few suggestions for working with the rate limit restrictions on these services, including things like only checking on click-through and ensuring failure is handled well.

Link: http://www.snipe.net/2014/04/check-user-submitted-urls-for-malware-and-phishing-in-your-application
Mon, 07 Apr 2014 10:01:59 -0500

http://www.phpdeveloper.org/news/19440
On PHPMaster.com there's a new tutorial posted showing you how to generate one-time use URLs that could be used for various things across an application, including things like account verification links.

A one-time URL is a specially crafted address that is valid for one use only. It's usually provided to a user to gain privileged access to a file for a limited time or as part of a particular activity, such as user account validation. In this article I'll show how to generate, implement, and expire one-time URLs.

Included in the post is the SQL to create a sample "pending_users" table that includes a "token" column for storing the generated hash. Code is also included for generating the hash and checking the incoming URL to see if it matches the requested user (and hasn't expired).

As a matter of general housekeeping you could write a secondary script to keep expired tokens from accumulating in the database if a user never follows them. The script could be run periodically by an administrator, or preferably set up as a scheduled task or cron job and run automatically.

Link: http://phpmaster.com/generating-one-time-use-urls
Wed, 10 Apr 2013 11:18:56 -0500

http://www.phpdeveloper.org/news/18506
On PHPMaster.com today, there's a new tutorial walking you through the creation of a URL shortener - a simple tool that can be used to compact URLs into something easier to manage (and more friendly with services like Twitter).

Most of us are familiar with seeing URLs like bit.ly or t.co on our Twitter or Facebook feeds. These are examples of shortened URLs, which are a short alias or pointer to a longer page link. [...] In this article you'll learn how to create a fully functional URL shortener for your website that will work whether you use a front controller/framework or not. If you use a front controller, I'll discuss how to easily integrate this URL shortener without having to dig into the controller's programming.

They help you create a simple database to hold the link relationships, the PHP code to create the randomized hash that represents the link and the code to shorten it. There's also the PHP code to take it the other way and decode the shortened version into the full URL. You can find the full code (ready for checkout) over on the PHPMaster.com GitHub account.

Fri, 21 Sep 2012 12:58:00 -0500

http://www.phpdeveloper.org/news/18498
David Müller has a new post to his site today showing why validating URLs with filter_var is a good thing for the security of your application.

Since PHP 5.2 brought us the filter_var function, the time of such [regular expressions-based] monsters was over. [With] the simple, yet effective syntax [and] with a third parameter, filter flags can be passed, [...] 4 flags are available [for URL filtering].

He shows how to use it to filter out a simple XSS issue (a "script" tag in the URL) and some examples of issues that the filter_var function doesn't prevent - like injection of other schemes (like "php://" or "javascript://"). He recommends adding a wrapper around the method to check for the correct scheme (ex. "http" or "https" for URLs) and reminds you that filter_var is not multibyte capable.

Thu, 20 Sep 2012 08:09:31 -0500

http://www.phpdeveloper.org/news/18105
On DesignAeon.com there's a recent tutorial posted showing you how to extract URLs from your database and determine which ones are "dead" automatically with the help of cURL.

Checking dead links from the database manually is a headache, so why not use a script which returns the HTTP status of the particular link and tells us if the link is dead or not. So how do we check the dead links from the database? How do we programmatically check whether the link is dead or not? To check broken or dead links from the database we will use curl.

Included in the post is a sample script that extracts the URLs from a field in the database (you'd need some extra smarts if you're pulling it from content) and runs each one through a "checklink" function. If the call to curl_getinfo returns false, the link is marked dead.

Mon, 18 Jun 2012 09:45:55 -0500

http://www.phpdeveloper.org/news/17844
In this new post to his blog Gaurish Patil shows users of the Yii framework how they can update their configuration settings to hide the "index.php" in their requests and make cleaner URLs.

Finally we figured out the basics of Yii. While working on the basics of Yii, I wanted to rewrite the URL to be SEO friendly. So I started to search on Google and the forum and got useful information here: http://www.yiiframework.com/doc/guide/1.1/en/topics.url To hide the index.php from the URL I made changes in config/main.php [...] and I created a new .htaccess file in the same directory as my index.php file.

The changes are pretty simple - it's mostly a change to the "urlManager" setting to provide some rules for mapping controllers and actions to the right place. The .htaccess file uses Apache's mod_rewrite functionality to grab the requested URL and remap it onto the "index.php" front controller for the request.

Fri, 20 Apr 2012 09:27:06 -0500

http://www.phpdeveloper.org/news/17353
Sharon Levy has a new post to her blog showing a trick she's come up with to show the PHP version information (usually found in the phpinfo() output) even when phpinfo() is disabled.

Sometimes the most crucial, basic piece of information can seem so hard to find. For example, suppose you wanted to find out what version of PHP your remote webhost provides to shared hosting users? What would you do? [...] For development purposes it can be helpful having phpinfo() available, but on a live shared host, you may discover as I did recently that it is no longer available; your host may have disabled it.

She includes three other ways you can use to get the version of PHP you're working with:

Thu, 05 Jan 2012 13:20:40 -0600

http://www.phpdeveloper.org/news/17009
On his blog today Sameer Borate has a new post with a handy bit of code you can use to find the keywords from a search engine referral to help with tracking how visitors have come to your site.

A couple of weeks back I had to write a solution for a client to track the referrer search engine from where the user came to his site's contact page, without using Google Analytics. If a user was to fill the contact form on the website, the referring search engine name and the keyword for which it was referred was to be emailed along with the contact information. The following is a solution for the same.

The code itself is pretty simple - it checks the $_SERVER['HTTP_REFERER'] and, based on an array of search engine types, looks for a certain "query" keyname in the URL and matches what follows (with a regular expression). This can be useful for not only determining what sort of audience is visiting your site, but could also be used to present a custom message to visitors from certain search engines (or, more complicated, to show different content based on search terms).

Tue, 18 Oct 2011 13:25:27 -0500

http://www.phpdeveloper.org/news/16889
Lars Tesmer has a suggestion for all of the unit testers out there (you do unit test your code, right?) when needing to test a piece of code that makes a call to something on the file system or a remote resource. Their examples come from tests written against the Assetic codebase.

For our most recent After Work Hacking my co-workers and I decided to write unit tests for the open source project Assetic. That turned out to be a better decision than our last one, yet we still ran into an interesting challenge.

In testing the HttpAsset class from the tool, they came across the problem - a call to a remote/file resource that could not be tested because of a file_get_contents call that depends on an external source. They came up with a few options to try to test this example, some better than others:

Give it a real URL to test with

Wrap the file_get_contents inside of a new class (ex. a "ContentFetcher")

In their case, vfsStream couldn't be used due to how the fetch call was made, but the tool can be very handy if you need to mock out an external file system resource.

Wed, 21 Sep 2011 12:04:47 -0500

http://www.phpdeveloper.org/news/16648
Lorna Mitchell has a quick post to her blog today showing how you can use a simple curl call from PHP to shorten URLs with bit.ly and pull back the result.

I've been looking around for a really simple API that would be a nice place to get started using web services from PHP - and I realised that bit.ly actually fits the bill really well. They have straightforward API docs on Google Code, and it's also a pretty simple function!

Her code is about three lines consisting of a curl_init call to the bit.ly server with the URL, a curl_setopt to tell it to return the information and a curl_exec to execute. The result is a JSON string easily decoded with a "url" parameter containing the newly minted short URL. She also briefly mentions some of the other features of the bit.ly API including reverse translation and bundling of links.